diff --git a/.github/workflows/assets.yml b/.github/workflows/assets.yml
index 93441996..7aa87946 100644
--- a/.github/workflows/assets.yml
+++ b/.github/workflows/assets.yml
@@ -1,5 +1,8 @@
 name: Release assets
 
+permissions:
+  contents: write
+
 on:
   push:
     tags:
diff --git a/.github/workflows/build-publish-dispatch.yml b/.github/workflows/build-publish-dispatch.yml
index f08aaf73..60de02c6 100644
--- a/.github/workflows/build-publish-dispatch.yml
+++ b/.github/workflows/build-publish-dispatch.yml
@@ -1,5 +1,9 @@
 name: Build and publish Docker images on demand
 
+permissions:
+  contents: read
+  packages: write
+
 on:
   workflow_dispatch:
     inputs:
diff --git a/.github/workflows/build-publish.yml b/.github/workflows/build-publish.yml
index 22dfb981..cde01a55 100644
--- a/.github/workflows/build-publish.yml
+++ b/.github/workflows/build-publish.yml
@@ -1,5 +1,9 @@
 name: Build and publish Docker images
 
+permissions:
+  contents: read
+  packages: write
+
 on:
   workflow_dispatch:
   schedule:
diff --git a/.github/workflows/dockerhub-description.yml b/.github/workflows/dockerhub-description.yml
index 6ef7c569..03324bcf 100644
--- a/.github/workflows/dockerhub-description.yml
+++ b/.github/workflows/dockerhub-description.yml
@@ -1,5 +1,8 @@
 name: Update Docker Hub Description
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index b8b48e9a..965a923d 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -1,5 +1,8 @@
 name: Tests
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: